Introduction

This document describes how you can configure Zimbra Collaboration Server (ZCS) and Samba to act as a primary domain controller (PDC) that uses LDAP (Lightweight Directory Access Protocol) as a central password database for authenticating users on Linux and Windows desktops. The motivation behind this document is the need to seamlessly integrate ZCS into corporate network environment based entirely on Open Source server software. This functionality is achieved by configuring Zimbra LDAP to act as a central user database for PAM (Pluggable Authentication Modules), NSS (Name Service Switch), and for Samba's ldapsam password backend. The document also describes Zimbra Admin Extensions that allow managing OS and Samba accounts, groups and domains through Zimbra Admin UI.

The setup described in this document is not the only possible way to make Samba and Zimbra use the same user database for authentication. There are multiple other ways to achieve similar functionality, and it is recommended that you explore Zimbra WIKI at http://wiki.zimbra.com to see if another solution is a better fit for your needs. However, this solution is the only solution that allows network administrators to manage Windows user accounts and groups using Zimbra Admin UI. It is also highly recommended to get familiar with Zimbra, Samba, LDAP and PAM, before you start the installation. Particularly helpful are the following sources of information:

Intended audience

This document is intended mainly for network administrators who are faced with the task of integrating multiple OpenSource software packages to support a corporate network. The author assumes that the reader has basic knowledge of Linux/Unix OS, is capable of using a text editor and is at least vaguely familiar with Zimbra, Samba, LDAP and PAM. If these four words sound foreign to you, please take some time to look at the aforementioned sources of helpful information, or even better – have them open in separate tabs in Firefox on your second monitor while you are following the directions in this document ;)

ToDo

Fix creation of resources from the admin UI to work with the uidNumber attribute (you can provision them manually using zmprov as a workaround)

During new account creation, don't allow clicking of the finish button until user has filled out all required fields, including the posix and samba ones. Or maybe put in some reasonable default values so the finish button does not raise an error.

UBUNTU: you will hit this bug after installing the ldap libraries for pam and nss [1] (Fixed in 5.0.7_GA_2444.UBUNTU6)

The use of memberUid in POSIX Groups doesn't work (version 5.0.9). It requests an integer but it should contain the username [2]. ldapadd and ldapmodify can be used until this is fixed.

Part 3 describes how to configure Samba server to use Zimbra LDAP as a source of user information and as a Primary Domain Controller

Part 4 describes how to configure a Linux server to use Zimbra LDAP as a central source of user information.

Part 5 describes how to restore the configuration database for Disaster Recovery (6.0.7 and later releases)

Part 1

Installing Zimbra

First, Install Zimbra Collaboration Server (ZCS) (it can be an Open Source or a Network Edition) following Zimbra Installation guides that you can download from the Zimbra website (http://www.zimbra.com/products/documentation.html). Make note of the root LDAP password that is selected during the installation, you will need it to modify your LDAP configuration.

If you have an existing functioning ZCS server, you can use it instead of a new one, but make sure to back up all your data and that you know your LDAP root password (this password was created during ZCS installation - can be found by running the command zmlocalconfig -s zimbra_ldap_password as the zimbra user). This setup works with single- as well as with multi-server Zimbra setups.

Configuring Zimbra LDAP

Before you can configure Zimbra LDAP you need to have the nis.ldif and samba.schema files.

The nis.ldif file already exists in /opt/zimbra/openldap/etc/openldap/schema/ on your ldap server. Skip to the next bullet for instructions on installing it.

samba.schema file depends on the version of Samba that you will be installing. Therefore, I recommend downloading Samba source package for the latest stable version of Samba available for your server's OS and taking samba.schema from examples/LDAP folder in the source package. In this document I am using Samba 3.3.4.

Log in to the shell on your Zimbra LDAP server and become the zimbra user. If you have a multi-server setup this is the machine(s) where the ldap service is running. You will need to install the nis.ldif file and the converted samba.ldif following the instructions found in Installing_custom_ldap_schema on every LDAP server you have installed.

You may also want to add the following indexes. See Adding_ldap_indices for how to do this. They cannot be added until after the schema files are in place.

Note: For these indices to take effect in an existing database that already has values for these attrributes it is advised that you run slapindex with the updated indexing configuration. slapd must be stopped (via ldap stop) prior to running slapindex. This is only an issue for databases where these attributes existed but were not previously indexed.

After you have installed the new schema, restart Zimbra services and make sure that they started successfully.

Now you will need to create two new users for the local posix and samba processes to use to access the information from the LDAP server. Each user will need to have its own unique password for security purposes. You can generate the hash of the password for use with creating the user in ldap with the /opt/zimbra/openldap/slappasswd command. For example, if I wanted to use the passwords "zimbra" and "zimbratoo", I would run:

This will return the SSHA hash I need for the user entries. Create a text file called /tmp/posixusers.ldif that looks similar to the following. You will need to use one password for the uid=zmposix user, and the other password for the uid=zmposixroot user. Write down which password is for what user, as you will need this information later to configure Samba and posix access.

Now add these two new users to the LDAP master. If you have multiple ldap servers, they will be replicated out. You will be prompted for a password, use the password from zmlocalconfig -s ldap_root_password

ldapadd -f /tmp/posixusers.ldif -x -H ldapi:/// -D cn=config -W

Now, you need to adjust the LDAP acls so that these new users can read the data necessary from the LDAP server. This will need to be done on each LDAP server that exists. Create a file called /tmp/acl.ldif and add the following to it. If this is a master with replicas, you need to change the olcDatabase line to be olcDatabase={3}hdb,cn=config in both sections.

In this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMware instance, hence my ldapSuffix is

dc=gregzimbra1,dc=zimbra,dc=com

Be sure to replace dc=gregzimbra1,dc=zimbra,dc=com with your actual domain

Part 2

Important: If you are upgrading you may need to redeploy these zimlets because the settings in config_template.xml are not remembered.
Also, this seems to be broken on Zimbra 7.2

Extract files from /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip to a folder on your desktop computer, open zimbra_posixaccount folder and edit config_template.xml.

Edit ldapSuffix property in config_template.xml. This property is the path in your LDAP tree where all Linux and Samba user information will be stored. This can be the name of your primary email domain written in the ldap syntax. E.g. if your domain is mycompany.com, then ldapSuffix will be

dc=mycompany,dc=com

In this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMWare instance, hence my ldapSuffix is

dc=gregzimbra1,dc=zimbra,dc=com

Edit uidBase property in config_template.xml. uidBase is the base for creating Linux user IDs for user accounts that will be stored in LDAP. The first account that you will create through Zimbra Admin UI will have user ID = uidBase+1. If you already have user accounts in your current password database (most likely /etc/passwd) it is recommended that you set this value higher than the maximum existing user account.

Edit gidBase property in config_template.xml. gidBase is the base for creating Linux group IDs for groups that will be stored in LDAP. The first group that you will create through Zimbra Admin UI will have group ID = gidBase+1. It is recommended to make gidBase much bigger than uidBase to avoid ID conflicts with SSID for users and groups (eg. gidBase=uidBase+10000).

Zip all the files that are in zimbra_posixaccount folder into zimbra_posixaccount.zip together with modified config_template.xml (make a flat zip file without folders)

cd zimbra_posixaccount

zip zimbra_posixaccount *.*

Log in to Zimbra Admin (https://yourserver.com:7071/zimbraAdmin) as administrator, navigate to Admin Extensions and deploy zimbra_posixaccount extension using the zimbra_posixaccount.zip file (refer to ZCS Admin Guide for more information about installing Admin Extensions)

Extract files from /opt/zimbra/zimlets-admin-extra/zimbra_samba.zip to a folder on your desktop computer and open config_template.xml (this file is in zimbra_samba folder along with other extension files).

Edit ldapSuffix, uidBase and gidBase properties using the same values as you used in for zimbra_posixaccount.zip

Zip all the files zimbra_samba folder into zimbra_samba.zip together with modified config_template.xml into a flat ZIP file and deploy zimbra_samba Admin Extension.

Reload your Zimbra Admin to initialize the extensions. When the extensions are loaded for the first time, they will check if OUs defined by ldapMachineSuffix and ldapGroupSuffix propertiesin config_template.xml files exist and create these OUs, if they do not exist.

Important: Once the Zimbra schema is extended with the Samba integration, any previous backups are invalid. After completing integration, start a full backup of your ZCS server.

Installing Samba

Install Samba 3 on a Linux/Unix box. I used Samba-3.0.28 which I built from sources on Ubuntu 6.06 server running inside a VMware. If you are building Samba from sources, make sure to enable ldap support. I do not recommend installing Samba on the same machine where you installed Zimbra – better to use a separate machine. I built it with minimum options:

Installing pam_ldap and nss_ldap

You need to install and configure PAM and NSS on the machine where you installed Samba. You can also install it on any Linux desktop that should use Zimbra LDAP as a user database, e.g. Linux desktops where you want to be able to log in using the same username/password that is used for Zimbra Mail.

You need to download and install pam_ldap and nss_ldap modules for your OS. I used Ubuntu Linux which has these modules available as Debian packages through Synaptic Package Manager. If you are using Synaptic Package Manager, make sure to enable community maintained repositories (see Settings->Repositories) and search for libpam-ldap and libnss-ldap packages. If you are using a different Linux, you might need to build these modules from the sources. You can find the Sources for pam_ldap and nss_ldap on http://www.padl.com.

I built and installed both pam_ldap and nss_ldap from the sources downloaded from http://www.padl.com. It take 5 minutes to download and build. If you are building from the sources, you need to edit the LDAP configuration file (ldap.conf) first. This file is in the source folder for both pam_ldap and nss_ldap. This is the contents of my ldap.conf file for both modules:

LDAP search base – enter the same value that you used for ldapSuffix property in zimbra_posixaccount and zimbra_samba extensions. I.e.: dc=yourdomain,dc=com (in my case dc=gregzimbra1,dc=zimbra,dc=com)

LDAP account for root – enter uid=zmposixroot,cn=appaccts,cn=zimbra

LDAP root account password – enter the LDAP root password that you selected for the zmposixroot user back in part 1.

If you are using Synaptic Package Manager to install libpam_ldap, you will be prompted for the following information:

root login password - enter the LDAP root password that you selected for the zmposix user back in part 1.

Ubuntu uses 4 files

/etc/pam_ldap.conf

/etc/pam_ldap.secret

/etc/libnss-ldap.conf

/etc/libnss-ldap.secret

You can create a symlink for these files to /etc/ldap.conf and /etc/ldap.secret, so you have only 2 files to configure. Make sure /etc/ldap.secret is r------.
DO NOT symlink to the /etc/ldap/ldap.conf file, as that file is specifically for the OpenLDAP client configuration, and is very different from the pam/nss ldap configuration.

In RHEL5/CentOS5 both nss_ldap and pam_ldap modules are included in a single nss_ldap rpm package which is a part of base install. They can be configured using authconfig command line utility. (See Configuring pam_ldap and nss_ldap.)

Using delegated administration feature with posix/samba integration

If you are using ZCS Network edition, and you have delegated administrators that were created using default domain administrator rights, you will have to give these administrators additional permissions to read/write new LDAP attributes.
Login to Zimbra Administration Console as global administrator and open the domain admin's account. Click on "Configure Grants" button in the toolbar, then click "Add" button in the toolbar.

Add "write" permissions for the following attributes. Note, that this list is the full list of attributes that your domain admins may need to access, but you should select a subset of these attributes depending on the needs of your domain admins:

This is how the list of direct grants for default domain administrator should look like after you have granted these additional permissions:

Part 3

Configuring Samba

There are many ways to configure Samba depending on what you needs are. In this example I will configure Samba to use Zimbra LDAP as password backend and to act as a primary domain controller for domain GREGZIMBRA1 and as a WINS server for my network. This configuration will allow Windows NT/XP/2000 workstations to join GREGZIMBRA1 domain as if it was an NT domain. Below is the /etc/samba/smb.conf file used in this example.

passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/ - tells Samba to use ldap as the password backend and to contact Zimbra LDAP server at [ldap://gregzimbra1.zimbra.com/].

ldap admin dn - LDAP DN of a user that Samba will use to bind to Zimbra LDAP. If you decide to change this value later, don't forget to rerun smbpasswd -w command which tells Samba the password to use for binding to LDAP.

ldap suffix - is the name of your Zimbra domain, and it is the same value as the value of ldapSuffix property in config_template.xml files.

ldap group suffix - is the same value as the value of ldapGroupSuffix in config_template.xml files.

ldap machine suffix - is the same value as the value of ldapMachineSuffix in config_template.xml files.

the value of ldap user suffix must be ou=people, because this is where Zimbra account records are stored in LDAP.

After you edited smb.conf file, you need to tell Samba what is the root password for ldap. On your Samba server, restart samba services (/usr/sbin/smbd and /usr/sbin/nmbd) run the following command (replace test123 with your password for uid=zmposixroot,cn=appaccts,cn=zimbra).

Creating Samba domain using Zimbra Admin UI

Restart Samba. Then, log in to Zimbra Admin and click on Samba Domains. You should see a domain entry in the list. When Samba started up with the new smb.conf file it should have looked up the domain entry in LDAP and created it if it could not find the entry.

Part 4

Configuring pam_ldap and nss_ldap

Edit /etc/nsswitch.conf file. Replace these two lines:

passwd: compat
group: compat

with these lines:

passwd: files ldap
group: files ldap

this change will tell nsswitch to use ldap when it looks for uids and gids. It will first look at /etc/passwd and then at ldap. You may want to change these lines differently if you know what you are doing ;)

Edit /etc/pam.d/common-account. It should look like the following:

account sufficient pam_unix.so
account sufficient pam_ldap.so

Edit /etc/pam.d/common-auth. It should look like the following:

auth sufficient pam_ldap.so
auth sufficient pam_unix.so

Edit /etc/pam.d/common-password. It should look like the following:

password sufficient pam_unix.so
password sufficient pam_ldap.so

Edit /etc/pam.d/common-session. It should look like the following:

session sufficient pam_unix.so
session sufficient pam_ldap.so

You may want to first add to the session section the following line to automatically create a home directory when the user login for the first time

session required pam_mkhomedir.so skel=/etc/skel umask=0077

If you use pam_limits.so with /etc/security/limits.conf make sure the line is first in the common-session file

session required pam_limits.so

Be very careful when you use "sufficient pam_ldap.so" in Debian's and Ubuntu's /etc/pam.d/common-* files: Some services can place other "required" PAM-modules after the includes, which will be ignored if pam_ldap.so succeeds.

Now you need to test whether pam_ldap and nssswitch are working correctly. Log in to Zimbra Admin UI (https://yourserver.com:7071/zimbraAdmin) as Administrator and create a couple of new user accounts. On the New Account Wizard you should see two additional steps (after “Advanced” step): Posix Account and Samba Account

Configuring on RHEL5/CentOS5/Fedora7 using authconfig

As root run authconfig --test. It will display current settings for both nss_ldap and pam_ldap. In most cases the following command will do the job (although some manual editing will still be needed):

The last parameter will update /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth configuration files. The only file which requires manual editing is /etc/ldap.conf.

The base line should be already there. It is inserted by authconfig. You should also see a uri line with the address of your ldap server. The host, binddn, bindpw, rootbinddn lines should be added as explained above and /etc/ldap.secret file should exist and contain a password.

The issue with a single /etc/ldap.conf configuration file for both nss_ldap and pam_ldap is that host and uri can work together in Zimbra-specific configuration only if we also add bind_policy soft option. The modified /etc/ldap.conf should look like this:

The last four lines are optional and are added to make the Zimbra nss_ldap setup compatible with the Webmin’s LDAP Client and LDAP Users and Groups modules. {The latter module would allow you to add secondary groups to your Zimbra/Samba accounts etc.)

Any additional lines added by authconfig would not hurt. However you shall have to re-check /etc/ldap.conf every time you run authconfig with –-update or -–updateall switch. If it sees the host line, the command disables it and moves the host address value to uri line. This breaks pam_ldap an Zimbra might even fail to start.

Creating Linux and Samba groups using Zimbra Admin UI

Log in to Zimbra Admin UI. You should not have logged out of it anyway, because we are not done yet. Go to Posix Groups and click “New”. If you do not know what to type in group type field – type 2, this is the default value.

To test if PAM on your Samba server is reading the group information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:

>getent group

you should see the group(s) that you just created in the list that is produced.

Creating Linux and Samba users using Zimbra Admin UI

Back to the Zimbra Admin UI :). Go to Accounts and hit New, fill in the information on the first screen and follow the wizard to the Posix Account screen. Fill in all the required fields on the Posix Account screen and click Next to go to Samba Account screen. Fill in the required fields and click Finish. To test if PAM on your Samba server is reading the user password information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:

getent passwd

you should see the Zimbra accounts that you just created in the list. Create a home folder for the new Zmbra user and try to change the current user to the newly created one. In this example, I create a user ubuntu2, and home folder /home/ubuntu2

root@gregzimbra2:/home/ubuntu# su - ubuntu2
ubuntu2@gregzimbra2:~$

Now test if Samba authenticates your new user correctly. In this example I went to the shell on my Zimbra server box and ran this command (as root):

smbclient -U ubuntu2 //gregzimbra2.zimbra.com/ubuntu2

It should prompt you for the password and then log in to ubuntu2's home folder on gregzimbra2 Samba server.

Next, log in to Zimbra Admin UI, click on Aliases and remove root@.gregzimbra1.zimbra.com alias. Then run

smbpasswd -a root

To add posixAccount attributes to the previously established users (before ldap schema change) you can run command:

Creating Windows NT Domain groups

Next, create “Domain Admins” group using Zimbra Admin UI, on Samba tab select Special Windows group type “Domain Admins”. Then you need to grant privileges to this group. Run the following command as root on your Samba server. Put your domain name instead of GREGZIMBRA1. More information on this topic is available in Official Samba HOWTO Reference Guide (http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/).

Adding Windows NT/2000/XP machines to Samba domain

Log in to an Windows desktop as a local administrator and join the Samba domain the same way you would be joining a Windows domain. You might need to point your Windows box to your Samba WINS server depending on how your DHCP and DNS servers are configured. Use a member of “Domain Admins” group to join the domain. After you joined the domain, verify that the machine account was added to ldap directory by running ldapsearch command. I.e. if your windows desktop machine name is gregvmxp2:

Part 5

Disaster Recovery

Starting with the 6.0.7 release, zmbackupldap will back up the entire configuration database as well as the main database. In the case of a disaster where the configuration and main databases are lost, this will allow recovery of the specific schema, ACL modifications, etc, that were made. To recover the configuration database, do the following:

This assumes that ldap-config.bak is in your current working directory.

5.0.x to 6.0.x upgrade note

It is not necessary to use the steps outlined in this wiki when upgrading from 5.0.x to 6.0.x when you already have the samba/posix zimlets installed. However, a few steps are necessary for the old-style anonymous access for PAM/NSS/Samba to work. For upgrading, the Optimizing_5.0_to_6.0_LDAP_upgrade wiki should be followed. If you used anonymous pam access then the following commands will need to be run as the zimbra user. Note: If this is a master, change {2}hdb to {3}hdb.

Zimbra powers collaboration for the way you work. Zimbra connects people and information with unified collaboration software that includes email, calendaring, file sharing, activity streams, social communities and more. With technology designed for social, mobile and the cloud, Zimbra gives individuals the flexibility to work from virtually anywhere, through nearly every computer, tablet and mobile device.